I used the ACME Let's Encrypt client to generate server/Exchange/IIS certs and I was never prompted to choose to use the same private key when it auto-renews. Can I adjust this in a config file? How do I make them use the same private keys when they renew? I need the thumbprint to stay the same since that's what they are bound to. (Not my choice; it's certain applications' choice.)
"ACME Let's Encrypt" doesn't actually let us know what software you're using: ACME is a protocol used by many Certificate Authorities, and Let's Encrypt is one particular CA that this is the community forum for.
If you're using certbot, which is one particular popular client, you can get your certificate name with certbot certificates (it's usually the same as one of the domain names on the certificate), and then run certbot reconfigure --cert-name (name) --reuse-key to set the configuration to reuse the key. (Probably, I haven't actually tested it myself.)
If you're using some other client, you'll have to give more information.
(And it sounds like you already know this, but having something tied to a specific key is fraught with peril. And "thumbprint" may refer to just the public key, or may refer to the whole certificate, and it's only the key that you can keep the same. Also, there should be at least a backup key you can switch to in the case of compromise. These sorts of applications are usually better served by a private PKI instead of trying to overload the public Web PKI with them.)
The popular and maintained Windows clients include Posh-ACME and CertifyTheWeb. Posh-ACME reuses the keys by default; CertifyTheWeb does not. Both clients can be configured to flip their behavior around.
Just to clarify, the certificate thumbprint will not stay the same even if you reuse the private key, because the thumbprint is a hash of the entire certificate, which includes information that changes (dates, serial, issuer, etc.).
You will need to be specific about which ACME client you are using, but all the main ones on Windows can update the IIS bindings to the latest cert thumbprint, or you can script the binding update in PowerShell.
If your motivation is to avoid an IIS reload due to applicationHost.config being touched, or if you just don't want to update bindings, use the IIS CCS (centralised certificate store) feature, which loads the latest cert from a directory/share based on a file name matching the domain name and completely avoids binding updates.
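The two points above (the thumbprint changes on every renewal even when the key is reused, and the IIS binding can be re-pointed by script) can be checked and handled together in PowerShell. The script below is an added example, not code from the thread or from any of the ACME clients mentioned; it assumes the WebAdministration module that ships with IIS, an existing https binding for the host, and uses placeholder host and site names.

```powershell
#Requires -RunAsAdministrator
# Added example: re-point an IIS https binding at the newest certificate for a
# host name, and show why the thumbprint still changes when the key is reused.
# Assumes the WebAdministration module (IIS 7.5+) and an existing https binding.
param(
    [string]$HostName = 'www.example.com',   # placeholder, not from the thread
    [string]$SiteName = 'Default Web Site',  # placeholder, not from the thread
    [int]$Port = 443
)
Import-Module WebAdministration

function Get-PublicKeyHash {
    # SHA-256 over the raw public key bytes only. This value survives a renewal
    # that reuses the key; the thumbprint (SHA-1 over the whole DER certificate,
    # including serial, validity dates, issuer and signature) does not.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    } finally {
        $sha.Dispose()
    }
    return ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Newest certificate for the host that still has a usable private key.
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $newCert) {
    throw "No certificate with a private key for $HostName in LocalMachine\My"
}

# 2. The https binding currently serving this host on this port.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq "*:$Port`:$HostName" }
if (-not $binding) {
    throw "No https binding for $HostName on port $Port in site '$SiteName'"
}

# 3. Compare what is bound now with the newest certificate: same key? same thumbprint?
$oldThumb = $binding.certificateHash
if ($oldThumb) {
    $oldCert = Get-Item "Cert:\LocalMachine\My\$oldThumb" -ErrorAction SilentlyContinue
    if ($oldCert) {
        $sameKey   = (Get-PublicKeyHash $oldCert) -eq (Get-PublicKeyHash $newCert)
        $sameThumb = $oldThumb -eq $newCert.Thumbprint
        Write-Host ("Key reused: {0}   Thumbprint unchanged: {1}" -f $sameKey, $sameThumb)
    }
}

# 4. Re-point the binding only when the bound certificate is not already the newest one.
if ($oldThumb -ne $newCert.Thumbprint) {
    $binding.AddSslCertificate($newCert.Thumbprint, 'my')
    Write-Host "Binding $($binding.bindingInformation) now uses $($newCert.Thumbprint) (expires $($newCert.NotAfter))"
} else {
    Write-Host "Binding already uses the newest certificate for $HostName"
}
```

Run it elevated after each renewal (for example as a post-renewal task of the ACME client, or `.\Update-IisBinding.ps1 -HostName www.example.com -SiteName 'Default Web Site'`). With a client configured to reuse the key, the first line of output reads "Key reused: True   Thumbprint unchanged: False", which is exactly the situation described above: anything that pins the thumbprint rather than the key will need the binding, or its own configuration, updated on every renewal.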
I am using win-acme.v2.2.9.1701.x64.pluggable. I didn't generate the cert to automatically push to the bindings since this is our first go at using ACME vs. Entrust. So I put the certs in the personal store to pull them from there. Which seems like a poor choice in hindsight. But... I can fix it via a PS script to the config file, it seems?
I would just remove the current certificate renewal config in the app and add a new one with the right settings, run it as administrator so that it can update the IIS bindings, and choose that option in the app. Subsequent renewals will update the same bindings.
I would suggest switching to simple-acme as win-acme is no longer maintained. I work on https://certifytheweb.com which also provides equivalent functionality.